Well… this is embarrassing and I want to be honest. Checked the host and
SELinux is disabled.
# sudo semanage fcontext -a -e /var/lib/containners/storage /data/storage
ValueError: Equivalence class for /data/storage already exists
# sudo restorecon -R -v /data/storage
Still not sure why I see ? for the files/directories when using ls -alZ
against them.
I guess that is what ls shows when SELinux is disabled. I never disable
it... :^)
So must be some other reason your containers are blowing up. Did you
try running with --privileged?
Do they work with Docker?
*From:* Daniel Walsh <dwalsh(a)redhat.com>
*Sent:* Wednesday, October 6, 2021 12:46 PM
*To:* Miller, Christopher (NE) <Christopher.Miller(a)gd-ms.com>; Leon N
<leon9923(a)gmail.com>
*Cc:* podman mailing list <podman(a)lists.podman.io>
*Subject:* Re: [Podman] Re: permissions issues to host filesystem when
running rootless Vs rootful and question on opening port on container/host
*External E-mail *--- CAUTION: This email originated from outside
GDMS. Do not click links or open attachments unless you recognize the
sender and know the content is safe.
On 10/6/21 12:23, Christopher.Miller(a)gd-ms.com wrote:
Just so I understand.
I created a generic directory /data/storage for the Nexus
container to write to. So it sounds like the default storage for
containers is /var/lib/containers/storage? And should be placing
container storage here?
Thanks
Correct. I believe the issue you are having is in the podman storage,
not inside of the container.
*From:* Daniel Walsh <dwalsh(a)redhat.com>
*Sent:* Wednesday, October 6, 2021 12:07 PM
*To:* Miller, Christopher (NE) <Christopher.Miller(a)gd-ms.com>; Leon N <leon9923(a)gmail.com>
*Cc:* podman mailing list <podman(a)lists.podman.io>
*Subject:* Re: [Podman] Re: permissions issues to host filesystem
when running rootless Vs rootful and question on opening port on
container/host
If you move the location of storage to a different directory you
need to set the SELinux labels.
# semanage fcontext -a -e /var/lib/containers/storage /storage
# restorecon -R -v /storage
Probably should add something like this to the storage.conf and to
the man page.
On 10/6/21 11:28, Christopher.Miller(a)gd-ms.com wrote:
From the host: xfs file system for /opt/nexus and /data/storage.
From the container, noticed that /storage is xfs but
/opt/sonatype shows overlay (I’m reading up on overlay now).
[usera@hosta /]$ cat /etc/redhat-release ; podman info
Red Hat Enterprise Linux release 8.1 (Ootpa)
host:
BuildahVersion: 1.9.0
Conmon:
package: podman-1.4.2-5.module+el8.1.0+4240+893c1ab8.x86_64
path: /usr/libexec/podman/conmon
version: 'conmon version 2.0.1-dev, commit: unknown'
Distribution:
distribution: '"rhel"'
version: "8.1"
MemFree: 260805922816
MemTotal: 270091517952
OCIRuntime:
package: runc-1.0.0-60.rc8.module+el8.1.0+4081+b29780af.x86_64
path: /usr/bin/runc
version: 'runc version spec: 1.0.1-dev'
SwapFree: 8589930496
SwapTotal: 8589930496
arch: amd64
cpus: 56
hostname: hosta
kernel: 4.18.0-147.5.1.el8_1.x86_64
os: linux
rootless: true
uptime: 116h 31m 31.21s (Approximately 4.83 days)
registries:
blocked: null
insecure: null
search:
- hosta.XXX.enclave:8090
- registry.redhat.io
- registry.access.redhat.com
- quay.io
- docker.io
store:
ConfigFile: /home/usera/.config/containers/storage.conf
ContainerStore:
number: 0
GraphDriverName: overlay
GraphOptions:
- overlay.mount_program=/usr/bin/fuse-overlayfs
GraphRoot: /home/usera/.local/share/containers/storage
GraphStatus:
Backing Filesystem: xfs
Native Overlay Diff: "false"
Supports d_type: "true"
Using metacopy: "false"
ImageStore:
number: 7
RunRoot: /run/user/2229
VolumePath: /home/usera/.local/share/containers/storage/volumes
*From:* Daniel Walsh <dwalsh(a)redhat.com>
*Sent:* Wednesday, October 6, 2021 11:05 AM
*To:* Miller, Christopher (NE) <Christopher.Miller(a)gd-ms.com>; Leon N <leon9923(a)gmail.com>
*Cc:* podman mailing list <podman(a)lists.podman.io>
*Subject:* Re: [Podman] Re: permissions issues to host
filesystem when running rootless Vs rootful and question on
opening port on container/host
What filesystem is stored on /opt and /nexus-data?
Did you install storage in a different path than
/var/lib/containers/storage?
I guess attaching podman info output would help.
On 10/6/21 10:50, Christopher.Miller(a)gd-ms.com wrote:
Here is my SELinux output both from the host and the
container. I’m getting a lot of “?” characters on the host,
when I think I should be seeing the user, role and type
label defined. I’ve googled around based on those results
and am not finding anything.
I’ve tried restorecon -R -v on those volumes and
nothing changed.
Volume Mounts
host: /opt/nexus
container: /nexus-data
host: /data/storage
container: /storage
From the host
[usera@hosta /]$ sudo ls -alZ /opt/nexus
[sudo] password for usera:
total 24
drwxr-x--- 15 755 nexus ? 254 Oct 5 14:48 .
drwxr-xr-x. 13 nexus nexus system_u:object_r:usr_t:s0 214 Oct 4 10:13 ..
drwxr-xr-x 3 root root ? 21 Oct 4 10:37 blobs
drwxr-xr-x 323 root root ? 8192 Oct 5 14:48 cache
drwxr-xr-x 6 root root ? 113 Oct 4 10:37 db
drwxr-xr-x 3 root root ? 36 Oct 4 11:11 elasticsearch
drwxr-xr-x 3 root root ? 45 Oct 5 14:30 etc
drwxr-xr-x 2 root root ? 6 Oct 4 10:36 generated-bundles
drwxr-xr-x 2 root root ? 33 Oct 4 10:36 instances
drwxr-xr-x 3 root root ? 19 Oct 4 10:36 javaprefs
-rw-r--r-- 1 root root ? 1 Oct 5 14:48 karaf.pid
drwxr-xr-x 3 root root ? 18 Oct 4 10:37 keystores
-rw-r--r-- 1 root root ? 14 Oct 5 14:48 lock
drwxr-xr-x 4 root root ? 220 Oct 5 20:00 log
drwxr-xr-x 2 root root ? 6 Oct 4 10:37 orient
-rw-r--r-- 1 root root ? 5 Oct 5 14:48 port
drwxr-xr-x 2 root root ? 6 Oct 4 10:37 restore-from-backup
drwxr-xr-x 8 root root ? 261 Oct 5 14:48 tmp
[usera@hosta /]$ sudo ls -alZ /data/storage
total 24
drwxr-xr-x 2 200 200 ? 172 Oct 5 13:00 .
drwxr-x--- 3 nexus nexus ? 21 Aug 26 13:41 ..
-rw-r----- 1 root root ? 1992 Oct 5 13:00 ISSUINGCA-CORP_intermediate_cert.cer
-rw-r--r-- 1 root root ? 6582 Oct 5 13:03 nexus-hosta.enclave.jks
-rw-r--r-- 1 root root ? 1221 Oct 5 12:42 nexus-hosta.enclave.pem
-rw-r----- 1 root root ? 2532 Oct 5 13:00 nexus-hosta_server_crt.cer
-rw-r----- 1 root root ? 1302 Oct 5 13:00 ROOTCA-CORP.cer
From the container
[root@6ca25b429eb1 /]# sestatus
bash: sestatus: command not found
[root@6ca25b429eb1 /]# whereis selinux
selinux: /etc/selinux /usr/libexec/selinux
[root@6ca25b429eb1 /]# ls -al /etc/selinux
total 4
drwxr-xr-x 1 root root 6 Oct 6 13:49 .
drwxr-xr-x 1 root root 21 Mar 4 2021 ..
-rw-r--r-- 1 root root 2425 Jun 29 2020 semanage.conf
[root@6ca25b429eb1 /]# ls -alZ /nexus-data
total 24
drwxr-x--- 15 755 1005 ? 254 Oct 5 18:48 .
drwxr-xr-x 1 root root ? 77 Oct 5 14:12 ..
drwxr-xr-x 3 root root ? 21 Oct 4 14:37 blobs
drwxr-xr-x 323 root root ? 8192 Oct 5 18:48 cache
drwxr-xr-x 6 root root ? 113 Oct 4 14:37 db
drwxr-xr-x 3 root root ? 36 Oct 4 15:11 elasticsearch
drwxr-xr-x 3 root root ? 45 Oct 5 18:30 etc
drwxr-xr-x 2 root root ? 6 Oct 4 14:36 generated-bundles
drwxr-xr-x 2 root root ? 33 Oct 4 14:36 instances
drwxr-xr-x 3 root root ? 19 Oct 4 14:36 javaprefs
-rw-r--r-- 1 root root ? 1 Oct 5 18:48 karaf.pid
drwxr-xr-x 3 root root ? 18 Oct 4 14:37 keystores
-rw-r--r-- 1 root root ? 14 Oct 5 18:48 lock
drwxr-xr-x 4 root root ? 220 Oct 6 00:00 log
drwxr-xr-x 2 root root ? 6 Oct 4 14:37 orient
-rw-r--r-- 1 root root ? 5 Oct 5 18:48 port
drwxr-xr-x 2 root root ? 6 Oct 4 14:37 restore-from-backup
drwxr-xr-x 8 root root ? 261 Oct 5 18:48 tmp
[root@6ca25b429eb1 /]# ls -laZ /storage
total 24
drwxr-xr-x 2 nexus nexus ? 172 Oct 5 17:00 .
drwxr-xr-x 1 root root ? 77 Oct 5 14:12 ..
-rw-r----- 1 root root ? 1992 Oct 5 17:00 ISSUINGCA-CORP_intermediate_cert.cer
-rw-r----- 1 root root ? 1302 Oct 5 17:00 ROOTCA-CORP.cer
-rw-r--r-- 1 root root ? 6582 Oct 5 17:03 nexus-hosta.enclave.jks
-rw-r--r-- 1 root root ? 1221 Oct 5 16:42 nexus-hosta.enclave.pem
-rw-r----- 1 root root ? 2532 Oct 5 17:00 nexus-hosta_server_crt.cer
Thanks again
*From:* Leon N <leon9923(a)gmail.com>
*Sent:* Wednesday, October 6, 2021 8:29 AM
*To:* Miller, Christopher (NE) <Christopher.Miller(a)gd-ms.com>
*Cc:* dwalsh(a)redhat.com; podman mailing list <podman(a)lists.podman.io>
*Subject:* Re: [Podman] Re: permissions issues to host
filesystem when running rootless Vs rootful and question
on opening port on container/host
Hey,
These would be run on the host.
You can also change the restorecon parameters to restore
the contexts for the storage you mounted:
sudo restorecon -R -v <path to storage>
Doing ls -laZ on the storage you mount in the container will
also give everyone here insights on the SELinux contexts.
Regards,
Leon
On Wed, 6 Oct, 2021, 17:43 Christopher.Miller(a)gd-ms.com,
<Christopher.Miller(a)gd-ms.com> wrote:
Sorry, I’m not clear where I want to run these
commands, on the host or the container?
Thanks
*From:* Daniel Walsh <dwalsh(a)redhat.com>
*Sent:* Tuesday, October 5, 2021 7:10 PM
*To:* podman(a)lists.podman.io
*Subject:* [Podman] Re: permissions issues to host
filesystem when running rootless Vs rootful and
question on opening port on container/host
I am guessing this is an SELinux issue. Perhaps
sudo restorecon -R -v /var/lib/containers
might fix it.
You can run `sudo ausearch -m avc -ts recent`
after it fails to see if SELinux is involved.
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to
podman-leave(a)lists.podman.io
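The advice in this thread reduces to a short checklist for a relocated podman storage directory: confirm SELinux is actually enabled (when it is disabled, `ls -Z` prints "?" for every entry, which is exactly what the host listings above show), register the new path as an equivalent of /var/lib/containers/storage with `semanage fcontext -a -e`, run `restorecon`, and then verify the labels. The script below is an added example, not code from the thread or from the podman project. It assumes the paths used above (/var/lib/containers/storage and /data/storage), that container-selinux labels /var/lib/containers with the type container_var_lib_t, and that `semanage fcontext -l` reports equivalences as "path = substitute" lines; the sample listings it parses are constructed, modelled on the ones posted above.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit the SELinux labelling of a
# relocated container storage directory and apply the fcontext equivalence
# idempotently, so a second run does not hit "Equivalence class ... already
# exists". Paths and the expected type are assumptions, see the lead-in.

DEFAULT_STORE=/var/lib/containers/storage
NEW_STORE=/data/storage
EXPECTED_TYPE=container_var_lib_t   # type container-selinux gives /var/lib/containers

# Print the SELinux type (third colon-separated field) of a context string,
# or "?" when the listing carried no label at all.
context_type() {
    local ctx=$1
    [ "$ctx" = "?" ] && { printf '?\n'; return 0; }
    printf '%s\n' "$ctx" | cut -d: -f3
}

# Read `ls -alZ` output on stdin and print one verdict:
#   unlabeled  - every entry shows "?" (SELinux disabled, or no xattr labels)
#   mislabeled - some entry is unlabeled or carries a type other than EXPECTED_TYPE
#   ok         - every entry carries EXPECTED_TYPE
# The context is the 5th whitespace-separated field. "total" lines and the
# parent ".." entry (which legitimately carries the parent's type) are skipped.
audit_listing() {
    local line ctx typ seen=0 unlabeled=0 wrong=0
    while IFS= read -r line; do
        case $line in total*|''|*' ..') continue ;; esac
        ctx=$(printf '%s\n' "$line" | awk '{print $5}')
        seen=$((seen + 1))
        typ=$(context_type "$ctx")
        if [ "$typ" = "?" ]; then
            unlabeled=$((unlabeled + 1))
        elif [ "$typ" != "$EXPECTED_TYPE" ]; then
            wrong=$((wrong + 1))
        fi
    done
    if [ "$seen" -gt 0 ] && [ "$unlabeled" -eq "$seen" ]; then
        echo unlabeled
    elif [ "$wrong" -gt 0 ] || [ "$unlabeled" -gt 0 ]; then
        echo mislabeled
    else
        echo ok
    fi
}

# Read `semanage fcontext -l` output on stdin; succeed if NEW_STORE is already
# registered as an equivalent of DEFAULT_STORE ("<path> = <substitute>" line).
has_equivalence() {
    grep -qxE "${NEW_STORE}[[:space:]]*=[[:space:]]*${DEFAULT_STORE}"
}

# Apply the fix from the thread, skipping the equivalence if it already exists.
# Needs root and policycoreutils-python-utils; it is defined here but not run
# automatically, so the file stays safe to execute as a demo.
relabel_storage() {
    if ! selinuxenabled 2>/dev/null; then
        echo "SELinux is disabled on this host; labels cannot be the cause" >&2
        return 1
    fi
    if semanage fcontext -l | has_equivalence; then
        echo "equivalence $NEW_STORE = $DEFAULT_STORE already present"
    else
        semanage fcontext -a -e "$DEFAULT_STORE" "$NEW_STORE"
    fi
    restorecon -R -v "$NEW_STORE"
    ls -alZ "$NEW_STORE" | audit_listing
}

# Constructed sample modelled on the host listing posted above: every entry
# shows "?" because SELinux is disabled on that host.
SAMPLE_DISABLED='total 24
drwxr-xr-x 2 200 200 ? 172 Oct 5 13:00 .
drwxr-x--- 3 nexus nexus ? 21 Aug 26 13:41 ..
-rw-r----- 1 root root ? 1992 Oct 5 13:00 ROOTCA-CORP.cer'

# Constructed sample of the same directory on an enforcing host after the
# equivalence and restorecon have been applied.
SAMPLE_OK='total 24
drwxr-xr-x. 2 200 200 system_u:object_r:container_var_lib_t:s0 172 Oct 5 13:00 .
drwxr-x---. 3 nexus nexus system_u:object_r:default_t:s0 21 Aug 26 13:41 ..
-rw-r-----. 1 root root system_u:object_r:container_var_lib_t:s0 1992 Oct 5 13:00 ROOTCA-CORP.cer'

# Constructed fragment of `semanage fcontext -l` with the equivalence present.
SAMPLE_FCONTEXT='SELinux Local fcontext Equivalence

/data/storage = /var/lib/containers/storage'

echo "host listing with SELinux disabled: $(printf '%s\n' "$SAMPLE_DISABLED" | audit_listing)"
echo "after equivalence + restorecon:     $(printf '%s\n' "$SAMPLE_OK" | audit_listing)"
```

Run it as-is to see the two verdicts on the constructed samples; on a real host, call `relabel_storage` as root once `getenforce` reports Enforcing or Permissive, then pair the verdict with `ausearch -m avc -ts recent` as suggested above to confirm whether any remaining failure is SELinux at all.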